Source Code Discovery Sheds Light on the Business of Malware

It’s nothing new to understand that malware writers have developed a commercial acumen. It has been this way ever since criminal enterprises first cottoned on to the financial benefits of illegally monetizing people and businesses through their computer systems.

However, research has come to light recently which shows in tantalizing detail exactly how this is true in the modern threat environment.

The recent uncovering of the Carbanak source code on VirusTotal by FireEye has been an eye-opener into the sophisticated factory-line product development techniques used to create and, more importantly, build a commercial-scale and particularly dangerous form of malware.

Known to have been used by the advanced persistent threat group FIN7 to exfiltrate millions of dollars from financial institutions, Carbanak is a particularly sophisticated trojan, employing a variety of different targeting methods which provide attackers with a foothold into their targets. While APTs are generally defined by their persistence, as per Lockheed Martin’s Cyber Kill Chain model, Carbanak is a different beast in business terms.

Each Carbanak campaign was designed to carry out a specific set of actions; having identified the critical systems within a financial institution’s networks, for example, its key objective was to siphon money off to attacker-controlled accounts. Unlike other APTs, though, Carbanak didn’t hang around, rinse its time on a target and risk being caught: instead, it would cover its tracks as best as it could, and move on to start another campaign.

Indeed, by forsaking persistence in this way, it could instead be described as focusing on the “advanced” in APT, as opposed to being persistent.

This speaks of a collective that is well-versed in the benefits of maintaining anonymity. For this group, it could be argued that the ‘business’ strategy was one of rapid monetization. It had learned that infiltration was a given, but discovery was only a matter of time so, instead, it developed a range of different opportunities at target institutions and treated the attacks like a numbers game. As any salesperson will tell you, it’s good to have a number of different opportunities in the sales funnel.

Beyond the sophistication of the malware in question, and the length of time it remained undetected, the source code itself revealed an interesting and, for security professionals, somewhat worrying approach to the development of its core product, which borrowed from modern DevOps theory.

DevOps teams are not to be made up of just one person operating in solus. The whole point is that lots of people work in tandem to push forward the development of a piece of software so it can be as flexible as quickly as possible. They will typically comprise a team of people who treat what they do as a portion of a job so there is a) no single point of failure, and b) a variety of different options. As with most other jobs, these people come in, do their work, and then go home again.

This being the case, however, means that those developing APTs will face the same issues as most other bosses. There will be illnesses, holidays, career changes, and myriad other things that might disrupt the flow of business.

It’s important for APT success, therefore, that malware is written in such a way that it can be easily given to any member of the team with the assurance that they’re able to produce a product of the same high quality that a campaign’s creators have come to expect. If those creators want to scale up their campaigns, they must ensure that any new team member is able to quickly and easily get to grips with the task at hand.

Analysis of Carbanak’s source code revealed a series of features that would allow it to be iterated by a team of developers in just this way, removing the risk of being hindered by single points of failure, such as a key malware engineer being off sick or moved onto another task. Essentially, it was a highly effective software assembly line.

The efficiency of Carbanak’s design was very much in the efficiency of its operation. Among its 100,000 lines, the Carbanak source code was found to contain a number of expertly-written preprocessor directives – instructions to any developer generating an executable for an attack on how to format important sections of the code.

Formatting the code as instructed means that any obfuscation and added layers of complexity – techniques used to protect the contents of programming code by making it difficult to understand – would be carried out by the program itself, thus minimizing the possibility of any errors occurring.

By leaving such encryption techniques in the hands of authors that clearly know what they’re doing, it’s therefore possible to distribute the builder software to attackers with less experience in writing malware, but who are then able to create hardened malware of the same high quality without the risk of jeopardizing any campaign. Also, should any “staffing issue” arise, it would guarantee business as usual.

Given its considerable value to the group, it’s highly unlikely that the Carbanak source code was ever intended to be made public or sold on. Despite the widely-held belief that the group no longer uses this particular strain of malware, however, its discovery has allowed security researchers to better understand how FIN7 operates. Malware is a serious business, and this source code reveals how FIN7, at least, are serious about that business.

Ben McCarthy is a Senior Content Engineer at Immersive Labs. He specialises in analysing and reverse engineering malware to create gamified cyber skills content for in-house security teams. He has also trained security teams in malware reverse engineering to assist in digital forensics and incident response.